FreeIPA integration in OpenNebula
Hi all,
OpenNebula is great at virtualization. Now I am trying to configure the FreeIPA LDAP provider with OpenNebula.
I configured FreeIPA user account integration into OpenNebula, but I can't integrate the FreeIPA group with OpenNebula.
Below are the error and the conf file.
server 1:
# Ldap user able to query, if not set connects as anonymous. For
# Active Directory append the domain name. Example:
# [email protected]
#:user: 'admin'
#:password: 'stackmax'
# Ldap authentication method
:auth_method: :simple
# Ldap server
:host: ipa.xaas.int
:port: 389
# Connection and authentication timeout
#:timeout: 15
# Uncomment this line for tls connections, use :simple_tls or :start_tls
#:encryption: :simple_tls
# base hierarchy where to search for users and groups
:base: 'dc=xaas,dc=int'
# group the users need to belong to. If not set any user will do
:group: 'cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int'
# field that holds the user name, if not set 'cn' will be used
:user_field: 'cn'
# for Active Directory use this user_field instead
#:user_field: 'sAMAccountName'
# field name for group membership, by default it is 'member'
#:group_field: 'member'
# user field that is in the group group_field, if not set 'dn' will be used
#:user_group_field: 'dn'
# Generate mapping file from group template info
:mapping_generate: false
# Seconds a mapping file remain untouched until the next regeneration
:mapping_timeout: 300
# Name of the mapping file in OpenNebula var directory
:mapping_filename: server1.yaml
# Key from the OpenNebula template to map to an AD group
:mapping_key: GROUP_DN
# Default group ID used for users in an AD group not mapped
:mapping_default: 1
# use RFC2307bis for groups
# if false, depending on your LDAP server configuration,
# set user_field and user_group_field 'uid' and group_field 'memberUid'
:rfc2307bis: false
Error in oned.log:
Trying LDAP server server 1
Mon Aug 29 20:23:35 2022 [Z0][AuM][D]: Message received: LOG I 20 User monish is not in group cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int
Mon Aug 29 20:23:35 2022 [Z0][AuM][I]: User monish is not in group cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int
Mon Aug 29 20:23:35 2022 [Z0][AuM][D]: Message received: LOG I 20 Could not authenticate user monish
Mon Aug 29 20:23:35 2022 [Z0][AuM][I]: Could not authenticate user monish
Mon Aug 29 20:23:35 2022 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 20 -
Mon Aug 29 20:23:35 2022 [Z0][AuM][E]: Auth Error:
Mon Aug 29 20:23:35 2022 [Z0][ReM][D]: Req:720 UID:-1 IP:127.0.0.1 one.user.info invoked , -1, false
Mon Aug 29 20:23:35 2022 [Z0][ReM][E]: Req:720 UID:- one.user.info result FAILURE [one.user.info] User couldn't be authenticated, aborting call.
Mon Aug 29 20:23:35 2022 [Z0][AuM][D]: Message received: LOG I 21 Command execution failed (exit code: 255): /var/lib/one/remotes/auth/ldap/authenticate
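The :user_field:, :group_field: and :user_group_field: keys in that config decide how the driver ties a user entry to the group named in :group:, and the log shows the user lookup succeeding while the group check fails. The Ruby below is an added illustration, not OpenNebula's authenticate driver: it runs that membership check over two constructed group entries, one holding member DNs as FreeIPA groups under cn=groups,cn=accounts do, and one holding memberUid login names, so each key pairing can be seen matching or missing (the user entry, the second group and its DN are made up).

```ruby
# Added illustration (not OpenNebula's driver) of how :user_field:, :group_field: and
# :user_group_field: resolve group membership. Entries are constructed from the issue's DN layout.
USERS = [
  { 'dn' => 'uid=monish,cn=users,cn=accounts,dc=xaas,dc=int',
    'uid' => ['monish'], 'cn' => ['monish'] },
]
GROUPS = [
  # FreeIPA-style group under cn=groups,cn=accounts: members are listed as DNs
  { 'dn' => 'cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int',
    'member' => ['uid=monish,cn=users,cn=accounts,dc=xaas,dc=int'] },
  # Constructed posixGroup-style group: members are listed as login names in memberUid
  { 'dn' => 'cn=legacy,ou=groups,dc=xaas,dc=int', 'memberUid' => ['monish'] },
]

# Look the login up in the attribute named by :user_field: (the issue uses 'cn').
def find_user(login, user_field)
  USERS.find { |u| Array(u[user_field]).include?(login) }
end

# Value of the user that must appear in the group: its DN, or an attribute such as uid.
def user_group_value(user, user_group_field)
  user_group_field == 'dn' ? user['dn'] : Array(user[user_group_field]).first
end

# The group's :group_field: attribute must contain that value. DNs are compared
# case-insensitively here; a real LDAP server normalises them more thoroughly.
def in_group?(user, group, group_field, user_group_field)
  needle = user_group_value(user, user_group_field)
  !needle.nil? && Array(group[group_field]).any? { |v| v.casecmp?(needle) }
end

# Runs the whole check; the messages mirror the shape of the oned.log lines.
def check_login(login, group_dn, user_field:, group_field: 'member', user_group_field: 'dn')
  user = find_user(login, user_field)
  return [:not_found, "User #{login} not found by #{user_field}"] unless user
  group = GROUPS.find { |g| g['dn'].casecmp?(group_dn) }
  return [:no_group, "Group #{group_dn} not found"] unless group
  return [:ok, "User #{login} is in group #{group_dn}"] if in_group?(user, group, group_field, user_group_field)
  [:not_in_group, "User #{login} is not in group #{group_dn}"]
end

if __FILE__ == $PROGRAM_NAME
  ipa = 'cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int'
  puts check_login('monish', ipa, user_field: 'cn').last                                  # member/dn pairing
  puts check_login('monish', ipa, user_field: 'uid', group_field: 'memberUid', user_group_field: 'uid').last
end
```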
So there is this error in the log:
Mon Aug 29 20:23:35 2022 [Z0][AuM][D]: Message received: LOG I 20 User monish is not in group cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int
Authorization is required if you specify the :group: param, can you verify the user is a member of the group?
Yes, the user is a member of that group...
Could you paste the user LDAP entry?
In the above chat I pasted my LDAP entry in OpenNebula.
# Ldap authentication method
:auth_method: :simple
# Ldap server
:host: ipa.xaas.int
:port: 389
# Connection and authentication timeout
#:timeout: 15
# Uncomment this line for tls connections, use :simple_tls or :start_tls
#:encryption: :simple_tls
# base hierarchy where to search for users and groups
:base: 'dc=xaas,dc=int'
# group the users need to belong to. If not set any user will do
:group: 'cn=stackmax,cn=groups,cn=accounts,dc=xaas,dc=int'
# field that holds the user name, if not set 'cn' will be used
:user_field: 'cn'
# for Active Directory use this user_field instead
#:user_field: 'sAMAccountName'
# field name for group membership, by default it is 'member'
#:group_field: 'member'
# user field that is in the group group_field, if not set 'dn' will be used
#:user_group_field: 'dn'
# Generate mapping file from group template info
:mapping_generate: false
# Seconds a mapping file remain untouched until the next regeneration
:mapping_timeout: 300
# Name of the mapping file in OpenNebula var directory
:mapping_filename: server1.yaml
# Key from the OpenNebula template to map to an AD group
:mapping_key: GROUP_DN
# Default group ID used for users in an AD group not mapped
:mapping_default: 1
# use RFC2307bis for groups
# if false, depending on your LDAP server configuration,
# set user_field and user_group_field 'uid' and group_field 'memberUid'
:rfc2307bis: false
Any news on this?
Sorry for the silence, this really looks like a configuration issue. Please double-check the group membership.